Methods, apparatuses, and systems for network analysis

ABSTRACT

Methods, systems, apparatuses, and computer readable media for providing a network analysis system are disclosed. An example of a system for providing a network analysis system includes at least one satellite device configured to monitor wireless network traffic to determine at least one network communication event, generate an event message based on the at least one network communication event, and transmit the event message. The system also includes a controller device configured to receive the event message, determine an identity of at least one device communicating during the network communication event, determine a network status based at least in part on the identity of the at least one device, and provide the network status via an interface.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims priority to U.S. Provisional Application No.62/061,205, filed Oct. 8, 2014, the entire contents of which areincorporated herein by reference.

TECHNOLOGICAL FIELD

Example embodiments of the present invention relate generally todetection and management of network devices and, more particularly, to anetwork analysis device for detection, management, troubleshooting, andoptimization of a network.

BACKGROUND

The applicant has discovered problems with current methods, systems, andapparatuses for managing network devices. Through applied effort,ingenuity, and innovation, Applicant has solved many of these identifiedproblems by developing a solution that is embodied by the presentinvention, which is described in detail below.

BRIEF SUMMARY

Methods, apparatuses, and computer program products provide a networkanalysis device for monitoring, management, and troubleshooting of anetwork. The network analysis device is capable of detecting thepresence of devices on a wireless network by monitoring wireless networktraffic. Detected devices may be presented via a graphical userinterface to provide an interface for displaying the presence ofdetected devices, optimizing the performance of detected devices,troubleshooting errors associated with detected devices, and the like.Embodiments may also assist with management of device warranty andinsurance plans and registering devices for said warranty and insuranceplans. Yet further embodiments may take certain actions upon detectionof particular devices, such as generating a notification when anunauthorized device is detected. In some embodiments, a rules engine maytake particular actions upon detection of devices. For example, a usermay utilize device detection features of the digital concierge to detectthe comings and goings of particular users and log the times of suchcomings and goings. Some example embodiments may employ additional oralternative device detection features, such as bar code scanners,receipt readers, stock keeping unit (SKU) readers, or the like.

Embodiments include a system for providing computer network analysis.The system includes at least one satellite device configured to monitorwireless network traffic to determine at least one network communicationevent between a first network device and a second network device otherthan the satellite device, generate an event message based on the atleast one network communication event, and transmit the event message.The system also includes a controller device configured to receive theevent message, determine an identity of at least one devicecommunicating during the network communication event, determine anetwork status based at least in part on the identity of the at leastone device, and provide the network status via a management interface.

The event message may include a signal strength of the networkcommunication event and the controller device may be further configuredto determine a location of the at least one device based at least inpart on the signal strength. The event message may include a protocolidentifier. The controller device may be further configured to identifya device type for the at least one device based at least in part on theevent message. The at least one satellite device may be furtherconfigured to monitor the wireless network traffic by detecting networktransmissions between a first network device and a second networkdevice, the first network device and the second network device may bothbe different devices from the at least one satellite device and thecontroller device. The event message may include a packet header of thenetwork communication event. A clock of the at least one satellitedevice and a clock of the controller device may be synchronized with oneanother. The event message may include a timestamp derived based on areading from the clock of the at least one satellite device. The networkcommunication event may be a network message transmitted according to an802.11 protocol, a ZigBee protocol, or a Bluetooth protocol.

Embodiments also include a method for providing a network analysissystem. The method includes receiving, at a controller device, a firstevent message from a first satellite device, the first event messagecomprising content based on a first network communication event betweena first network device and a second network device, receiving, at thecontroller device, a second event message from a second satellitedevice, the second event message comprising content based on a secondnetwork communication event between a third network device and a fourthnetwork device, and processing, by the controller device, the firstevent message and the second event message to determine a networkstatus, wherein the network status comprises an indicator of thepresence of each of the first, second, third, and fourth networkdevices. The first event message may include a signal strength of thefirst network communication event and wherein the controller device isfurther configured to determine a location of the first network devicebased at least in part on the signal strength. The first event messagemay include a protocol identifier. The controller device may be furtherconfigured to identify a device type for each of the first networkdevice and the second network device based at least in part on the firstevent message. The at least one satellite device may be furtherconfigured to monitor the wireless network traffic by detecting networktransmissions between a first network device and a second networkdevice, the first network device and the second network device may bothbe different devices from the at least one satellite device and thecontroller device. The event message may include a packet header of thenetwork communication event. The method may include synchronizing aclock of at least the first satellite device and a clock of thecontroller device. The event message may include a timestamp derivedbased on a reading from the clock of the at least one satellite device.

Embodiments also include an apparatus for providing computer networkanalysis comprising a processor coupled to a memory. The apparatus isconfigured to receive an event message, the event message based on atleast one network communication event monitored by a satellite device,determine an identity of at least one device communicating during thenetwork communication event, determine a network status based at leastin part on the identity of the at least one device, and provide thenetwork status via a management interface.

The event message may include a signal strength of the networkcommunication event and the apparatus may be further configured todetermine a location of the at least one device based at least in parton the signal strength. The event message may include a protocolidentifier. The apparatus may be further configured to identify a devicetype for the at least one device based at least in part on the eventmessage.

Embodiments also include a method for deduplicating event messagesduring a network analysis operation. The method includes receiving afirst event message comprising a sequence identifier from a firstsatellite device, in response to receiving the first event message,opening an event window with a predefined length, receiving at least onesecond event message comprising the sequence identifier from a secondsatellite device prior to closing the event window, determining that thetime period corresponding to the event window has elapsed, closing theevent window, combining the first event message and the at least onesecond event message to generate an aggregated message, and processingthe aggregated message to determine a network status.

The method may also include receiving a third event message comprisingthe sequence identifier, the third event message received subsequent toclosing the event window, processing the aggregated message to determinea network status, and discarding the third event message. The method mayinclude determining the predefined length by generating a calibrationmessage, transmitting the calibration message to the first satellitedevice and the second satellite device, receiving a calibration responsefrom the two or more satellite devices, the calibration responsecomprising a transmission timestamp, determining a latency for each ofthe first satellite device and the second satellite device based atleast in part on the transmission timestamp, and selecting thepredefined length based at least in part on a largest latency among thelatency for the first satellite device and the second satellite device.The method may include generating at least one time synchronizationmessage by the controller device, and transmitting the at least one timesynchronization message to the first satellite device and the secondsatellite device. The method may include receiving an additional eventmessage during a time in which the event window is opened, determiningthat the additional event message is associated with a sequenceidentifier other than the sequence identifier for the first eventmessage, and opening up an additional event window for the additionalevent message, the additional event window associated with the sequenceidentifier other than the sequence identifier for the first eventmessage. Each of the first event message and the second event messagemay be generated based on a same network communication event between atleast two network devices other than the first satellite device and thesecond satellite device. The aggregated message may include a firstsignal strength from the first event message and a second signalstrength from the second event message. The method may includedetermining a location of a transmitter of a network communication eventbased at least in part on the first signal strength and the secondsignal strength included in the aggregated message.

Embodiments also include an apparatus for providing network analysiscomprising a processor coupled to a memory. The apparatus is configuredto receive, by a controller device, a first event message comprising asequence identifier from a first satellite device, in response toreceiving the first event message, open an event window with apredefined length, receive at least one second event message comprisingthe sequence identifier from a second satellite device prior to closingthe event window, determine that the time period corresponding to theevent window has elapsed, close the event window, combine the firstevent message and the at least one second event message to generate anaggregated message, and process the aggregated message to determine anetwork status.

The apparatus may be further configured to receive a third event messagecomprising the sequence identifier, the third event message receivedsubsequent to closing the event window, process the aggregated messageto determine a network status, and discard the third event message. Theapparatus may be further configured to generate a calibration message,transmit the calibration message to the first satellite device and thesecond satellite device, receive a calibration response from the two ormore satellite devices, the calibration response comprising atransmission timestamp, determine a latency for each of the firstsatellite device and the second satellite device based at least in parton the transmission timestamp, and select the predefined length based atleast in part on a largest latency among the latency for the firstsatellite device and the second satellite device. The apparatus may befurther configured to generate at least one time synchronization messageby the controller device, and transmit the at least one timesynchronization message to the first satellite device and the secondsatellite device. The apparatus may be further configured to receive anadditional event message during a time in which the event window isopened, determine that the additional event message is associated with asequence identifier other than the sequence identifier for the firstevent message, and open up an additional event window for the additionalevent message, the additional event window associated with the sequenceidentifier other than the sequence identifier for the first eventmessage. Each of the first event message and the second event messagemay be generated based on a same network communication event between atleast two network devices other than the first satellite device and thesecond satellite device. The aggregated message may include a firstsignal strength from the first event message and a second signalstrength from the second event message.

The apparatus may be further configured to determine a location of atransmitter of a network communication event based at least in part onthe first signal strength and the second signal strength included in theaggregated message.

Embodiments also include a non-transitory computer readable storagemedium comprising program instructions that, when executed by aprocessor, cause the processor to deduplicate event messages during anetwork analysis operation by at least receiving a first event messagecomprising a sequence identifier from a first satellite device, inresponse to receiving the first event message, opening an event windowwith a predefined length, receiving at least one second event messagecomprising the sequence identifier from a second satellite device priorto closing the event window, determining that the time periodcorresponding to the event window has elapsed, closing the event window,combining the first event message and the at least one second eventmessage to generate an aggregated message, and processing the aggregatedmessage to determine a network status.

The instructions may further cause the processor to receive a thirdevent message comprising the sequence identifier, the third eventmessage received subsequent to closing the event window, process theaggregated message to determine a network status, and discard the thirdevent message. In some embodiments, the instructions may further causethe processor to generate a calibration message, transmit thecalibration message to the first satellite device and the secondsatellite device, receive a calibration response from the two or moresatellite devices, the calibration response comprising a transmissiontimestamp, determine a latency for each of the first satellite deviceand the second satellite device based at least in part on thetransmission timestamp, and select the predefined length based at leastin part on a largest latency among the latency for the first satellitedevice and the second satellite device. In some embodiments, theinstructions may further cause the processor to generate at least onetime synchronization message by the controller device, and transmit theat least one time synchronization message to the first satellite deviceand the second satellite device.

Another embodiment includes a method for providing network security in anetwork analysis system. The method includes detecting a loss of aprimary power source in a satellite device of the network analysissystem, in response to the loss of the primary power source, activatinga redundant power supply of the satellite device, and in response toactivating the redundant power supply, disabling a visual indicator of apowered status coupled to the satellite device.

Another embodiment includes a method for providing a network analysissystem. The method includes receiving, at a controller, an event messagefrom a satellite device, the event message comprising content based on afirst network communication event between a first network device and asecond network device, processing, by a network analysis component ofthe controller, the event message to determine a network status, whereinthe network status comprises an indicator of the presence of each of thefirst network device and the second network device, determining, by arules engine component of the controller, that the second network deviceis unauthorized, in response to determining that the second networkdevice is unauthorized, generating a notification, by the rules enginecomponent, and causing the notification to be displayed via a managementinterface.

Yet another embodiment includes an apparatus for providing a networkanalysis system. The apparatus includes a network analysis circuitrycomponent configured to receive an event message from a satellitedevice, the event message comprising content based on a first networkcommunication event between a first network device and a second networkdevice, and process the event message to determine a network status,wherein the network status comprises an indicator of the presence ofeach of the first network device and the second network device. Theapparatus also includes a device management circuitry componentconfigured to determine, that the second network device is unauthorized,and in response to determining that the second network device isunauthorized, generate a notification, and a remote management circuitrycomponent configured to cause the notification to be displayed via amanagement interface.

Yet another embodiment includes an apparatus for providing a networkanalysis system. The apparatus includes a network analysis circuitrycomponent configured to receive an event message from a satellitedevice, the event message comprising content based on a first networkcommunication event between a first network device and a second networkdevice, process the event message to determine a network status, whereinthe network status comprises an indicator of the presence of each of thefirst network device and the second network device, and determine alocation of a transmitter of the first network communication event basedat least in part on the event message. The apparatus also includes adevice management circuitry component configured to determine that thesecond network device is unauthorized, and in response to determiningthat the second network device is unauthorized, generate a notificationto a camera device, wherein the notification comprises an instruction todirect the camera device to the location of the transmitter of the firstnetwork communication event, and transmit the notification to the cameradevice.

The above summary is provided merely for purposes of summarizing someexample embodiments to provide a basic understanding of some aspects ofthe invention. Accordingly, it will be appreciated that theabove-described embodiments are merely examples and should not beconstrued to narrow the scope or spirit of the invention in any way. Itwill be appreciated that the scope of the invention encompasses manypotential embodiments in addition to those here summarized, some ofwhich will be further described below.

BRIEF DESCRIPTION OF THE DRAWINGS

Having thus described certain example embodiments of the presentdisclosure in general terms, reference will now be made to theaccompanying drawings, which are not necessarily drawn to scale, andwherein:

FIG. 1 illustrates an example network within which embodiments of thepresent invention may operate;

FIG. 2 illustrates a block diagram depicting an example of a controllerdevice for implementing a network analysis system using special-purposecircuitry in accordance with some example embodiments of the presentinvention;

FIG. 3 illustrates a block diagram depicting an example of a satellitedevice for implementing a network analysis system using special purposecircuitry in accordance with some example embodiments of the presentinvention;

FIG. 4 illustrates an example of interconnectivity between components ofa network analysis system and a home network in accordance with someembodiments of the present invention;

FIG. 5 illustrates an example of a network architecture employing anetwork analysis system in accordance with some embodiments of thepresent invention;

FIG. 6 illustrates an example of a premises map in accordance with someembodiments of the present invention;

FIG. 7 illustrates an example of a data flow interaction amongcomponents of a network analysis system in accordance with someembodiments of the present invention;

FIG. 8 illustrates an example of interactions among logical componentsof a controller device in accordance with some embodiments of thepresent invention;

FIG. 9 illustrates an example of an interface for interacting with anetwork analysis system in accordance with some embodiments of thepresent invention;

FIG. 10 illustrates a flow diagram depicting an example of a method formonitoring network communications using a satellite device in accordancewith some embodiments of the present invention;

FIG. 11 illustrates a flow diagram depicting an example of a method forinitializing satellite devices with a network analysis system inaccordance with some embodiments of the present invention;

FIG. 12 illustrates a flow diagram depicting an example of a method forreceiving network communication events from satellite devices inaccordance with some embodiments of the present invention;

FIG. 13 illustrates a flow diagram depicting an example of a method forgenerating a premises map using a network analysis system in accordancewith some embodiments of the present invention;

FIG. 14 illustrates a flow diagram depicting an example of a method forgenerating network metadata using a network analysis system inaccordance with some embodiments of the present invention;

FIG. 15 illustrates a flow diagram depicting an example of a method forusing a rules engine to generate notifications using a network analysissystem in accordance with embodiments of the present invention;

FIG. 16 illustrates a flow diagram depicting an example of a method foremploying tamper-proof security of a satellite device in accordance withsome embodiments of the present invention; and

FIG. 17 illustrates a flow diagram depicting an example of a method forusing a network analysis system in conjunction with a camera device inaccordance with embodiments of the present invention.

DETAILED DESCRIPTION Overview

Various embodiments of the present invention are directed to improvedapparatuses, methods, and computer readable media for providing anetwork analysis system. In this regard, embodiments may electronicallydetect the presence of devices on a home network and perform monitoringand management functions related to the detected devices. The monitoringfunctions may include monitoring the type and amount of network trafficto each device, monitoring the manner in which each device connects tothe network, monitoring when a particular device connects to ordisconnects from the network, or the like. Management functions mayinclude enabling or disabling devices from connecting to the network,providing suggestions for device configuration changes to a user,alerting a user that a new device has connected, detecting andevaluating a network topology to suggest configuration changes,evaluating router security settings, and the like.

It should be readily appreciated that the embodiments of the methods,systems, devices, and apparatuses for providing a network analysissystem may be configured in various additional and alternative mannersto provide for monitoring and management of a home network based asdescribed herein.

Technical Underpinnings and Implementation of Exemplary Embodiments

As home networks have become more and more common, more and more devicesare capable of communicating on such networks. It is increasingly commonfor a given home network to include multiple devices in communicationwith one another via both wired and wireless communication mechanisms.Such devices may include not only common networking components such asrouters and switches, but also “smart” televisions, home theatersystems, printers, laptop computers, wearables, desktop computers,tablet computers, smartphones, and more. However, as more and moredevices connect to a given network, detection and management of suchdevices may become increasingly complicated. Users may not always beable to easily determine whether a given connected device is authorized,or whether such a device is a rogue device that has circumvented networksecurity. To address these concerns, the inventors have developedtechniques, systems, and devices for detecting, monitoring, and managingdevices connected to a home network via a digital concierge device.

Furthermore, the inventors have realized that even devices that do notcompletely “connect” (e.g., receive an assigned Internet Protocoladdress) to a network may still be detected by identifying connectionrequests and resource requests performed by such devices. The inventorshave determined that it is possible to use this data and other networkdata to perform management and logging functions to inform users ofvarious events. For example, embodiments of the present invention maydetect the presence of an unauthorized device in proximity to thenetwork and alert a user of the presence of the device. Otherembodiments may log when authorized devices connect and disconnect fromthe network, such as to provide information as to when a child returnshome after a curfew. Yet further embodiments may identify when anauthorized device connects at or around the same time as an unauthorizeddevice, indicating the presence of another person beside the user of theauthorized device.

To this end, embodiments of the present invention may constantly monitornetwork activity for new devices entering into communication with a homenetwork. This monitoring may be performed by various wired and wirelessinterfaces. For example, embodiments of the present invention mayinclude a wireless antenna for monitoring wireless communications, and awired network connection for monitoring data transmitted over a wirednetwork. In some embodiments, a digital concierge may be located in thenetwork topology between a router and the rest of the network or betweenthe router and the Internet in order to monitor traffic flowing to orfrom the router.

Embodiments may monitor connectivity of devices and performance of thedevices on the network to determine if each device is communicatingoptimally with other devices and with the internet.

Some embodiments may triangulate performance from multiple devices todetermine optimal network speeds to support each device, such as byautomatically implementing network Quality of Service (QoS) settings orby suggesting changes to a network topology to a user. Embodiments mayfurther detect a wired and wireless topology (e.g., the connectioninfrastructure by which devices communicate with one another), evaluatethe topology to determine possible performance optimization, and suggestthe possible performance optimizations to the users. In someembodiments, the digital concierge may automatically make suchoptimizations by altering configuration settings on various devicescoupled to the network. Embodiments may also interrogate a home routerto determine whether the home router is configured in a proper securityposture, that the router is properly updated with the latest softwareand firmware.

Some embodiments may implement a device detection perimeter (e.g., a“geo-fence”) by detecting the presence of any device that attemptscommunication with a home network. Such detection may be performed at alow network layer, such as at the Open Systems Interconnection Modellayer-2 “data link” layer, by sniffing devices that come into range of awireless router and generate network requests, such as dynamic hostconfiguration protocol (DHCP) requests or internet protocol version 6(IPV6) router discovery packets. Embodiments may detect devices andalter administrators of such detected devices and monitor the activityof such devices as long as such devices are detectable on the homenetwork. It should be appreciated that embodiments may not require suchdevices to acquire routable (e.g., IP) addresses on the network, andsuch activity may be monitored based only upon lower levelcommunications such as the OSI layer-2 communications described above.Device detection in this manner may be employed to support various usecases, including but not limited to detection of when a user enters orleaves a room of the household, detection of when a user returns homefrom work, school, or a night out, detection of an unauthorized deviceat an unusual time (e.g., after 2 am), or the like. Such use cases maybe employed to, for example, track when a child returns home aftercurfew, determine when a child has a visitor in their room for more thana threshold amount of time, detect intruders after dark, or the like.Various actions may be taken in response to detection of thesescenarios, including notifying a particular user or administrator,activating a home security system, or the like.

Some embodiments may provide low cost, small devices to capture networktraffic and relay such traffic to a central location for processing andanalysis. For example, some embodiments may include a “Raspberry Pi”device. In some embodiments, removal of a power source may cause thedevice to disable onboard light emitting diodes (LEDs) but allow thedevice to continue operating using battery power. In some embodiments,multiple such devices may be employed to triangulate the position of aparticular network device, or such devices may be employed in parallelfor redundancy in the event of a failure or intentional disconnection byan individual attempting to defeat the system.

Embodiments may also identify when known devices (e.g., previouslydetected devices) have been absent from a network for a period of time.In such cases, embodiments may generate a notification allowing a userto indicate whether the device has been sold, has been removed fromservice, has broken, or the like. In some cases, embodiments mayidentify a resale value of a device that has not connected for a periodof time, and assist a user with reselling the unused device such as byproviding an interface for facilitating shipping of the device to adepository and paying the user for the device.

Embodiments may also provide systems and techniques for managing devicewarranty information. For example, embodiments may provide an interfacefor the user to indicate which detected devices are owned by the user,when such devices were purchased, and when device warranties expire.Embodiments may also allow for specification by the user of thecircumstances under which the device was purchased (e.g., whether aparticular credit card was used or whether the user purchased anextended warranty plan) and automatically update warranty information.For example, embodiments may detect that the user used a credit cardwith a benefit that doubles a warranty upon purchasing a device (e.g.,by monitoring user transaction data, such as by an online banking orfinancial service aggregation system, or by allowing the user to selectwhich credit card they used) and automatically update warrantyinformation for the device to reflect the doubled period. Embodimentsmay also notify the user of a mechanism for submitting a warranty claim(e.g., by providing a phone number or contact information), or provide acustomer service representative interface to initiate the claim.Embodiments may also notify the user of events such as product recalls,free services, and/or other services that are available for devicesdetected on the network (e.g., a wiring protection plan that offersprotection for any devices connected to a covered device).

Some embodiments may allow for information about the attached devices tobe communicated for the purpose of providing warranties or serviceplans. For example, information may be gathered about the devicesconnected to a user's home network and communicated to a warranty orinsurance provider to offer the user a warranty or insurance package tocover one or more of the detected devices. In some embodiments, the usermay be provided with a discount based on the number of devices or typeof devices covered by the offered warranty or insurance.

In order to implement the improved systems described herein, theinventors have identified a variety of data sources and processingtechniques and algorithms that may be employed to support detection,monitoring, and management of devices on a home network. To this end,the inventors have conceived of a variety of communications techniques,application programming interfaces, and data interfaces for obtainingsuch data. By employing these improved techniques, the inventors havereduced the processing overhead, number of applications, and number ofman-hours necessary to implement such systems. As a result, exampleembodiments of the present invention provide the technical benefit of aflexible, streamlined system for evaluating, managing, and monitoring ahome network and attached devices. The inventors have also developedsystems, methods, and devices for network traffic monitoring andgeneration of network analytics. Such systems, methods, and devices maybe used to improve network performance by identifying networkbottlenecks, monitoring for network security breaches, and suggestingand/or implementing connectivity changes of the network.

Additionally, the inventors have created new interfaces, methods, andtechniques for accessing home network data and managing home networksand attached devices in a straightforward, flexible manner. Theseimproved interfaces reduce the amount of user input required to view andmanage a home network by organizing information in a novel way. As such,embodiments of the present invention also provide the technical benefitof an improved display and user interface for detecting devices incommunication with a home network, and managing and monitoring the homenetwork and/or attached devices.

System Architecture

Methods, apparatuses, and computer program products of the presentinvention may be embodied by any of a variety of devices. For example,the method, apparatus, and computer program product of an exampleembodiment may be embodied by a networked device, such as a server orother network entity, configured to communicate with one or moredevices, such as one or more client devices. Additionally oralternatively, the computing device may include fixed computing devices,such as a personal computer or a computer workstation. Still further,example embodiments may be embodied by any of a variety of mobileterminals, such as a portable digital assistant (PDA), mobile telephone,smartphone, laptop computer, tablet computer, or any combination of theaforementioned devices.

In this regard, FIG. 1 discloses an example computing system withinwhich embodiments of the present invention may operate. A home network104 may include a plurality of satellite devices 108 and a plurality ofnetwork devices 110 in communication via the network 104 (e.g., a homenetwork with one or more routers). A controller device 102 may alsocommunicate with the network 104 to detect, monitor, and manage thenetwork devices. The satellite devices 108 may notify the controller 102of the occurrence of network events, such as new network devices 110joining the network, communicating on the network, leaving the network,or the like. Although the instant example embodiment is described withrespect to a system incorporating both satellite devices and acontroller device, it should be appreciated that in some embodimentssome or all of the functionality of the satellite device may beintegrated within the controller device. For example, a controllerdevice 102 may monitor network communication events in the same manneras described herein with respect to the satellite device 108. Inembodiments where a limited physical area is monitored (e.g., anapartment), the use of satellite devices may thus be unnecessary toachieve full coverage for monitoring of network communications. A router106 may facilitate a connection to the Internet for the controller 102and the network devices 108. Although the controller 102 is depicted inFIG. 1 as communicating with the network separately from the router 106,it should be appreciated that some embodiments may feature the router106 connecting through the controller 102 to facilitate monitoring oftraffic on the network by the controller 102.

In some embodiments, one or more of the network devices 108 maycommunicate with the controller 102 to receive data about the network104 and connected devices 102, 106, 108. For example, an “app” executingon a user's smartphone may interface with the controller 102 to providethe user with information about connected devices, network topology,suggested optimizations, and the like. The app may also provide the userwith an interface to control the operation of the controller 102 (e.g.,manage configuration settings for device detection, monitoring, andmanagement), characteristics of the network (e.g., QoS settings, subnetconfigurations, address assignment settings), or other network devices108.

Example of a Controller Apparatus for Implementing Embodiments of thePresent Invention

The controller device 102 may be embodied by one or more computingsystems, such as the apparatus 200 depicted in FIG. 2. As illustrated inFIG. 2, the apparatus 200 may include a processor 202, a memory 204,input/output circuitry 206, communications circuitry 208, networkanalysis circuitry 210, device management circuitry 212, and remotemanagement circuitry 214. The apparatus 200 may be configured to executethe operations described above with respect to FIG. 1. Although thesecomponents 202-214 are described with respect to functional limitations,it should be understood that the particular implementations necessarilyinclude the use of particular hardware. It should also be understoodthat certain of these components 202-214 may include similar or commonhardware. For example, two sets of circuitry may both leverage use ofthe same processor, network interface, storage medium, or the like toperform their associated functions, such that duplicate hardware is notrequired for each set of circuitry. The use of the term “circuitry” asused herein with respect to components of the apparatus should thereforebe understood to include particular hardware configured to perform thefunctions associated with the particular circuitry as described herein.

The term “circuitry” should be understood broadly to include hardwareand, in some embodiments, software for configuring the hardware. Forexample, in some embodiments, “circuitry” may include processingcircuitry, storage media, network interfaces, input/output devices, andthe like. In some embodiments, other elements of the apparatus 200 mayprovide or supplement the functionality of particular circuitry. Forexample, the processor 202 may provide processing functionality, thememory 204 may provide storage functionality, the communicationscircuitry 208 may provide network interface functionality, and the like.

In some embodiments, the processor 202 (and/or co-processor or any otherprocessing circuitry assisting or otherwise associated with theprocessor) may be in communication with the memory 204 via a bus forpassing information among components of the apparatus. The memory 204may be non-transitory and may include, for example, one or more volatileand/or non-volatile memories. In other words, for example, the memorymay be an electronic storage device (e.g., a computer readable storagemedium). The memory 204 may be configured to store information, data,content, applications, instructions, or the like, for enabling theapparatus to carry out various functions in accordance with exampleembodiments of the present invention.

The processor 202 may be embodied in a number of different ways and may,for example, include one or more processing devices configured toperform independently. Additionally or alternatively, the processor mayinclude one or more processors configured in tandem via a bus to enableindependent execution of instructions, pipelining, and/ormultithreading. The use of the term “processing circuitry” may beunderstood to include a single core processor, a multi-core processor,multiple processors internal to the apparatus, and/or remote or “cloud”processors.

In an example embodiment, the processor 202 may be configured to executeinstructions stored in the memory 204 or otherwise accessible to theprocessor. Alternatively or additionally, the processor may beconfigured to execute hard-coded functionality. As such, whetherconfigured by hardware or software methods, or by a combination thereof,the processor may represent an entity (e.g., physically embodied incircuitry) capable of performing operations according to an embodimentof the present invention while configured accordingly. Alternatively, asanother example, when the processor is embodied as an executor ofsoftware instructions, the instructions may specifically configure theprocessor to perform the algorithms and/or operations described hereinwhen the instructions are executed.

In some embodiments, the apparatus 200 may include input/outputcircuitry 206 that may, in turn, be in communication with processor 202to provide output to the user and, in some embodiments, to receive anindication of a user input. The input/output circuitry 206 may comprisea user interface and may include a display and may comprise a web userinterface, a mobile application, a client device, a kiosk, or the like.In some embodiments, the input/output circuitry 206 may also include akeyboard, a mouse, a joystick, a touch screen, touch areas, soft keys, amicrophone, a speaker, or other input/output mechanisms. The processorand/or user interface circuitry comprising the processor may beconfigured to control one or more functions of one or more userinterface elements through computer program instructions (e.g., softwareand/or firmware) stored on a memory accessible to the processor (e.g.,memory 204, and/or the like).

The communications circuitry 208 may be any means such as a device orcircuitry embodied in either hardware or a combination of hardware andsoftware that is configured to receive and/or transmit data from/to anetwork and/or any other device, circuitry, or module in communicationwith the apparatus 200. In this regard, the communications circuitry 208may include, for example, a network interface for enablingcommunications with a wired or wireless communication network. Forexample, the communications circuitry 208 may include one or morenetwork interface cards, antennae, buses, switches, routers, modems, andsupporting hardware and/or software, or any other device suitable forenabling communications via a network. Additionally or alternatively,the communication interface may include the circuitry for interactingwith the antenna(s) to cause transmission of signals via the antenna(s)or to handle receipt of signals received via the antenna(s).

The network analysis circuitry 210 includes hardware configured todetect devices on a network and monitor network conditions. For example,the network analysis circuitry 210 may interface with the communicationscircuitry 208 to detect particular network packets received on the homenetwork. For example, devices may be detected by analyzing the networkdata to detect DHCP requests, IPV6 router discovery packets, addressresolution protocol (ARP) data, or the like. The network analysiscircuitry 210 may also detect and monitor network bandwidth, networkconnection and disconnection events, IP conflicts, and the presence ofcertain types and quantities of data packets. In some embodiments thedevice detection circuitry 210 may detect network data in a“promiscuous” manner, where all packets are received and analyzed evenif the concierge device is not necessarily the intended recipient. Suchnetwork packets may be obtained directly from the communicationscircuitry 208, or stored on the apparatus 200 prior to analysis, such asvia the memory 204. Identification of devices from the network packetdata and analysis of the network may be performed by processingcircuitry, such as the processor 202, and detected devices may be storedin an electronic format in the memory 204. In some embodiments, thenetwork analysis circuitry 210 may generate electronic informationnotifying the device management circuitry 212 of newly detected devices,devices that have disconnected, a connection duration, a current networkstatus, or the like.

It should also be appreciated that, in some embodiments, the networkanalysis circuitry 210 may include a separate processor, speciallyconfigured field programmable gate array (FPGA), or application specificinterface circuit (ASIC) in addition to the processor 202 to detectdevices on the network. The network analysis circuitry 210 is thereforeimplemented using hardware components of the apparatus configured byeither hardware or software for implementing these planned functions.

The device management circuitry 212 includes hardware configured tomanage devices detected on the network and take appropriate action inresponse to certain criteria. To this end, the device managementcircuitry 212 may include a processor or processing circuitry, such asthe processor 202, to implement a rules engine or other application totake certain actions in response to detection of certain criteria. Forexample, the device management circuitry 212 may be responsible fortaking certain action in response to network conditions detected by thenetwork analysis circuitry 210. For example, the device managementcircuitry 212 may provide notifications to the user via a user interface(e.g., through the communications circuitry 208 or the input/outputcircuitry 206) provided by the apparatus 200. The device managementcircuitry 212 may also determine characteristics of the network based onthe data received from the network analysis circuitry 210 and provide auser with suggested optimizations or troubleshooting measures to addressany detected problems, improve performance, or the like. In this regard,the device management circuitry 212 may implement a rules engine orother decision-making component for taking appropriate action inresponse to particular network conditions. An example of such a rulesengine component is described further below with respect to FIG. 8. Thedevice management circuitry 212 may also identify types of devices basedon observed network traffic data. For example, the device managementcircuitry 212 may identify protocol types, device identifiers, and otherdevice information contained within network traffic headers for datasent to or from those devices to attempt to match the network trafficdata to known device types. As a result, the device management circuitry212 may, for example, determine that a particular device is a smartphone, tablet computer, wireless speaker, wireless mouse, “smart”appliance (e.g., refrigerator, washer, or dryer with networkconnectivity), or other device type.

The device management circuitry 212 may also maintain a data structureindicating which devices are detected. Device information may be storedwithin the data structure to indicate the device type, various networkmetrics associated with the device (e.g., bandwidth used, security logs,etc.) and whether the device is known and/or authorized. For example,when a new device is detected an interface may be presented to a user(e.g., as provided by the remote management circuitry 214) to name thedevice, indicate a device type, and/or indicate that the newly detecteddevice is authorized.

In yet further embodiments, the device management circuitry 212 may beoperable to detect when an unauthorized device has entered the network,to detect when a device has failed to connect by a particular time(e.g., a teenage child's smart phone has not connected to the homenetwork by a particular time associated with a curfew), or the like.Although the processor 202 may be employed to perform device management,it should also be appreciated that, in some embodiments, the devicemanagement circuitry 212 may include a separate processor, speciallyconfigured field programmable gate array (FPGA), or application specificinterface circuit (ASIC) to perform such tasks. The device managementcircuitry 212 is therefore implemented using hardware components of theapparatus configured by either hardware or software for implementingthese planned functions.

The remote management circuitry 214 includes hardware configured toprovide a remote “dashboard” type interface for visualizing datagenerated by the device management circuitry 212 and the networkanalysis circuitry 210. In this manner, the remote management circuitry214 may provide data via a local server application executing on theapparatus 200, or data may be provided to a remote computer (e.g., alocal router or a cloud-based implementation) to allow for viewing ofthe data generated by the apparatus 200. Such information may include,for example, data related to devices connected to the network, includingdevice identifications, network configuration settings, troubleshootingdata, warranty data (e.g., where device serial numbers are accessibleover the network), and the like. The remote management circuitry 214 mayalso include hardware configured for receiving input from a remoteinterface, such as configuration of one or more rules and notificationsassociated with a rules engine.

In some embodiments, the remote management circuitry 214 may alsoprovide an interface that allows for entry of warranty data. Forexample, the warranty management circuitry 214 may provide an interfaceallowing a user to enter warranty information for one or more devicesconnected to the network. Example warranty information may includewhether a particular device is owned by the user, where the userpurchased the device, the amount paid for the device, the payment methodused to purchase the device, the brand or benefits associated with acredit card used to purchase the device, or the like. In someembodiments, such warranty information may be provided by the userthrough a barcode scanner, through scanning a receipt, by allowing auser to input a SKU, or the like. Additionally or alternatively, in someembodiments, the remote management circuitry 214 may determine warrantyinformation directly from the one or more devices detected by thenetwork analysis circuitry 210.

In some embodiments, the remote management circuitry 214 mayautomatically register detected devices for warranty coverage with theirmanufacturer, or provide an interface to the user for doing so. In someembodiments, the remote management circuitry 214 may provide users withthe ability to purchase new or additional coverage based on whichdevices are detected. In some embodiments, the warranty coverage may beprovided as a “bundle” providing coverage on a plurality of the devicesattached to the network as detected by the network analysis circuitry210. Some embodiments of the invention may assist with determination ofthe value of one or more networked devices, and display those determinedvalues via an interface. For example, embodiments may determine themodel of particular devices, assess the condition of the particulardevices, and determine a value of the particular devices based on adatabase lookup using the model and condition. Some embodiments mayallow for sale or trade of these devices according to the determinedvalues. Some embodiments may allow trade-in of one or more devices inexchange for warranty coverage of other networked devices. For example,a user smartphone may have an identified value of $80, and embodimentsmay programmatically facilitate the trade-in of the device in exchangefor warranty coverage on, for example, another smartphone, a television,and a tablet computer identified on the home network.

In some embodiments, the remote management circuitry 214 may provide aninterface for sending or initiating a claim for a device that is coveredby a warranty. For example, the remote management circuitry 214 mayinclude an interface allowing a user to provide information to acustomer service representative. In some embodiments, such informationis automatically gathered and/or generated by the apparatus 200,obviating the need for the user to enter such information in aninterface.

The remote management circuitry 214 may perform these functions usingprocessing circuitry, such as the processor 202. Although the processor202 may be employed to perform remote management functions, it shouldalso be appreciated that, in some embodiments, the remote managementcircuitry 214 may include a separate processor, specially configuredfield programmable gate array (FPGA), or application specific interfacecircuit (ASIC) to perform such tasks. The remote management circuitry214 is therefore implemented using hardware components of the apparatusconfigured by either hardware or software for implementing these plannedfunctions.

As will be appreciated, any such computer program instructions and/orother type of code may be loaded onto a computer, processor or otherprogrammable apparatus's circuitry to produce a machine, such that thecomputer, processor other programmable circuitry that execute the codeon the machine create the means for implementing various functions,including those described herein.

It is also noted that all or some of the information presented byexample interfaces described herein can be based on data that isreceived, generated and/or maintained by one or more components ofapparatus 200. In some embodiments, one or more external systems (suchas a remote cloud computing and/or data storage system) may also beleveraged to provide at least some of the functionality discussedherein.

Example of a Satellite Apparatus for Implementing Embodiments of thePresent Invention

The satellite device 108 may be embodied by one or more computingsystems, such as the apparatus 300 depicted in FIG. 3. As describedabove, a satellite device may be one of a plurality of devices spreadabout a physical area to gather data about a network to be reported to acontroller. In this manner, the satellite device may be configured topassively listen to network traffic on various frequency bands (e.g.,the 802.11 protocol suite, Bluetooth, ZigBee, and other wirelessprotocols) and to detect communication events occurring on the network.Communication events may be reported to a controller, such as thecontroller described above with respect to FIGS. 1 and 2. As illustratedin FIG. 3, the apparatus 300 may include a processor 302, a memory 304,input/output circuitry 306, communications circuitry 308, networkmonitoring circuitry 310, controller interface circuitry 312, and powermanagement circuitry 314.

Although these components 302-314 are described with respect tofunctional limitations, it should be understood that the particularimplementations necessarily include the use of particular hardware. Itshould also be understood that certain of these components 302-314 mayinclude similar or common hardware. For example, two sets of circuitrymay both leverage use of the same processor, network interface, storagemedium, or the like to perform their associated functions, such thatduplicate hardware is not required for each set of circuitry. The use ofthe term “circuitry” as used herein with respect to components of theapparatus should therefore be understood to include particular hardwareconfigured to perform the functions associated with the particularcircuitry as described herein.

The processor 302, memory 304, and input/output circuitry 306 may beconfigured similarly to as described above with respect to FIG. 2, andduplicate description is omitted in the interests of brevity.

The communications circuitry 308 of the apparatus 300 may also beimplemented similarly to the communications circuitry 208 of theapparatus 200. However, it should be appreciated that, in someembodiments, the communications circuitry 308 may include additional oralternative hardware configured to detect radio frequency transmissionson various frequency bands and according to various wireless protocols.Such hardware may be configured to detect communication events happeningin proximity to the apparatus 300 and to notify the network monitoringcircuitry 310.

The network monitoring circuitry 310 includes hardware configured toidentify network communication events. These network communicationevents may be detected through the use of the communications circuitry308, and then forwarded to the controller interface circuitry 312 tomanage transmission to a controller device. Network communication eventsmay include any transmission detected by the apparatus 300. For example,the apparatus 300 may detect transmissions from devices announcing theirpresence to all devices in proximity, devices joining (or attempting tojoin) a wireless network, devices requesting and receiving an InternetProtocol Address, devices in communication with one another (e.g.,transmission of data packets), or the like. In some embodiments, thenetwork monitoring circuitry 310 may forward all received networkcommunication events to a controller, while in other embodiments thenetwork monitoring circuitry 310 may strip out message data payloads inorder to reduce the amount of bandwidth consumed in transmitting thenetwork communication events to the controller. For example, eventmessages sent to the controller to notify the controller of the networkcommunication events may include only a header of the detected networkcommunication event.

The controller interface circuitry 312 includes hardware configured tonotify a controller of network communication events through thetransmission of event messages. The controller interface circuitry 312may also perform other communications with the controller, such asinitial pairing between a controller and the apparatus 300. Thecontroller interface circuitry 312 may, in some embodiments, communicatewith the controller via various wireless network protocols, includingbut not limited to the 802.11 suite, Bluetooth, ZigBee, and/or the like.The controller interface circuitry 312 may construct event messagesbased on network communication events detected by the network monitoringcircuitry 310. An example of a process for generating and further belowwith respect to FIG. 7. The controller interface circuitry 312 mayutilize components of the communications circuitry 308 to effect thetransmission of the event messages to the controller, though it shouldalso be appreciated that in some embodiments the controller interfacecircuitry 312, the network monitoring circuitry 310, and thecommunications circuitry 308 may each include standalone hardware. Forexample, different antennae, transceivers, and the like may be employedfor listening for various types of network traffic to identify networkcommunication events occurring between various devices on the networkthan hardware utilized to communicate between the apparatus 300 and thecontroller.

The power management circuitry 314 includes hardware configured tomanage a process of providing power to the apparatus 300. In particular,the power management circuitry 314 includes hardware configured toenable a primary power source (e.g., Alternating Current (AC) power) anda backup power source (e.g., a battery backup). Since a network analysissystem incorporating satellite devices such as the apparatus 300 mayfrequently be employed for security purposes (e.g., to detect thepresence of unauthorized devices and/or unauthorized network usage),satellite devices may be subject to attempts to disable theirfunctionality by removing a power source, such as being unplugged fromthe wall. In order to continue to provide the functionality of thedevice even when unplugged, the power management circuitry 314 mayfacilitate failover to a backup power source, such as a battery. In someembodiments, the apparatus 300 may be designed as a low power devicethat is capable of operating for an extended period of time off batterypower (e.g., 24 hours). Upon transitioning to the battery backup, thepower management circuitry 314 may disable external power indicators(e.g., a light emitting diode (LED) or other visual power indicator), togive the appearance that the apparatus 300 has been powered off.Disabling such external power indicators may cause a wrong-doer tobelieve that the device has been disabled, and also provide the benefitof reducing power consumption of the device while it is operating onbattery power.

As will be appreciated, any such computer program instructions and/orother type of code may be loaded onto a computer, processor or otherprogrammable apparatus's circuitry to produce a machine, such that thecomputer, processor other programmable circuitry that execute the codeon the machine create the means for implementing various functions,including those described herein with respect to the apparatus 200 andthe apparatus 300.

As described above and as will be appreciated based on this disclosure,embodiments of the present invention may be configured as methods,mobile devices, backend network devices, and the like. Accordingly,embodiments may comprise various means including entirely of hardware orany combination of software and hardware. Furthermore, embodiments maytake the form of a computer program product on at least onenon-transitory computer-readable storage medium having computer-readableprogram instructions (e.g., computer software) embodied in the storagemedium. Any suitable computer-readable storage medium may be utilizedincluding non-transitory hard disks, CD-ROMs, flash memory, opticalstorage devices, or magnetic storage devices.

Having now described apparatuses configured to implement and/or supportimplementation of various example embodiments, features of severalexample embodiments will now be described. It will be appreciated thatthe following features are non-limiting examples of features provided bysome example embodiments. Further, it will be appreciated thatembodiments are contemplated within the scope of disclosure thatimplement various subsets or combinations of the features furtherdescribed herein. Accordingly, it will be appreciated that some exampleembodiments may omit one or more of the following features and/orimplement variations of one or more of the following features.

Exemplary Network Architectures

FIG. 4 depicts an exemplary embodiment of a network architecture 400highlighting communications between components of a network analysissystem in accordance with embodiments of the present invention. Thenetwork architecture 400 includes a gateway router 410 in communicationwith a controller 402, a plurality of satellite devices 404-408, and aplurality of network devices 412-420. Each of the satellite devices404-408 may be configured to detect network communication events withina particular physical area. For example, a first satellite device 404may have a first detection area 422, a second satellite device 406 mayhave a second detection area 424, and a third satellite device may havea third detection area 426. Although only the satellite devices 404-408are illustrated as having detection areas, it should be appreciatedthat, in some embodiments, the controller 402 may also have a detectionarea for detecting network devices.

Each of the satellite devices 404-408 may be operable to detect networkcommunication events to and from network devices located within theirrespective detection areas by monitoring wireless communications. Upondetecting a network communication event, the satellite device 404-408may notify the controller 402 of the network communication event overthe network. The satellite devices 404-408 may transmit networkcommunications events to the controller through the use of the samenetwork upon which the network devices are communicating, a networkprovided by the gateway router 410. Alternately, in some embodiments thesatellite devices 404-408 may communicate the network communicationevents to the controller 402 via an alternate network that existsseparately from that provided by the gateway router (e.g., a meshnetwork containing the satellite devices and controller).

As described above, each of the satellite devices 404-408 may detectwireless network communication events occurring to and from networkdevices 412-420 located within their detection areas. For example, asdepicted in FIG. 4, a satellite device 404 for a first detection area(dubbed “zone 1”) 422 may detect network communication events related tonetwork devices 412, 414, and 416. A satellite device 406 for a seconddetection area (dubbed “zone 2”) 424 may detect network communicationevents related to network devices 414, 416, and 418. A satellite device408 for a third detection area (dubbed “zone 3”) 426 may detect networkcommunication events related to the network device 420.

The satellite devices 404-408 may be configured to listen“promiscuously” such that they identify local wireless traffic in theirphysical area even for devices that are not associated with the networkby which the satellite devices 404-408 communicate with the controller402 and/or gateway router 410. For example, the satellite devices404-408 may listen for various transmissions including communicationsvia other networks (e.g., cellular networks, Bluetooth, other Wi-Finetworks). For example, the satellite devices 404-408 may listen forinitial connection requests, device identification signals, and othertransmissions in addition to communications that occur on the samenetwork by which the satellite devices 404-408 communicate with thecontroller 402 and/or gateway router 410.

Since network devices 414 and 416 are located within two detectionareas, embodiments may attempt to triangulate the location of thosedevices by providing signal strength data related to each device to thecontroller 402 and using received signal strength indicator (RSSI)location detection techniques. It should also be appreciated that evendevices that are only within a single detection area may have a locationdetermined based on RSSI techniques, though more data points receivedfrom overlapping detection areas may improve the accuracy of thelocation measurement.

The gateway router 410 may be any device configured to enable networkcommunications among multiple network devices. Although the instantexamples are generally described with respect to wireless devices, itshould be appreciated that some embodiments may relate to wired devicesin communication over a network and that various network analysisservices may also be employed for these wired devices, though it shouldalso be appreciated that certain functionalities of the instantembodiments (e.g., location tracking based on RSSI) are predicated onthe use of wireless devices. The gateway router 410 may thus includehardware configured to provide wired and/or wireless communications. Insome embodiments, the gateway router 410 provides for networkcommunication between the satellite devices 404-408 and the controller402, while in other embodiments the satellite devices 404-408 maycommunicate with the controller directly. In some embodiments, thefunctionality of the controller 402 may be integrated with thefunctionality of the gateway router 402, such that a single physicaldevice both enables network communications among the devices of thenetwork and also performs network analysis functions as described hereinwith respect to the various embodiments of the present invention.

FIG. 5 depicts an example of an additional embodiment of a networkarchitecture, where a controller 502 is physically disposed between agateway router 510 and the Internet or other wide area network (WAN)514. As described above, one or more network devices 512 may communicateover a network established by the gateway router 510, and a set ofsatellite devices 504-508 may detect network communication events andcommunicate those network communication events to the gateway 502.

The controller 502 is disposed between the gateway router 510 and theInternet/WAN 514 such that network traffic from the gateway router 510to computing nodes located on the Internet/WAN 514 passes through thecontroller 502. Generally, this may be accomplished through the use of aphysical cable between the controller 502 and the gateway router 510 andanother cable between the controller 502 and a modem, fiber endpoint, orother Internet/WAN access device, though in some embodiments such apass-through may be implemented in software (e.g., through the use ofrouting tables) or wirelessly (e.g., as a wireless relay).

Disposing the controller 502 in this manner advantageously ensures thatnetwork traffic from each of the network devices 512 can be monitoredand analyzed by the controller 502, even if the traffic occurs overwired connections that do not necessarily interact with a satellitedevice.

Alternately, in some embodiments a different device other than thecontroller 502 may be disposed between the gateway router 510 and theInternet/WAN 514. For example, a specially configured satellite devicemay include a ports for implementing a physical cable pass-through asdescribed above, and the specially configured satellite device maydetect network communication events and report event messages to thecontroller 502 in a similar manner to the other satellite devicesdescribed above.

Exemplary Premises Map

FIG. 6 illustrates an example use of a network analysis system togenerate a premises map 600 in accordance with some embodiments of thepresent invention. By disposing a series of satellite devices 604through a home, it may be possible to generate a map of network devicesthroughout the premises by taking into account the respective detectionareas of each satellite device and the network devices which are visibleto those satellite devices. The premises map 600 depicts a controller602, a series of satellite devices 604, a gateway router 606, and aplurality of network devices 608. The premises map 600 further depicts afloor plan of a building, such as a home, office, or the like.

To generate the premises map 600, embodiments may receive location datafor each satellite device 604 during an initial setup and/or calibrationof that satellite device. For example, a user may utilize an interfaceto draw a simple floor plan and indicate a location of each satellitedevice (e.g., through the placement of drag and drop icons) on aposition on the drawn floor plan corresponding to the position of thesatellite device in the building.

The premises map 600 may also illustrate detected relationships amongnetwork devices. For example, the premises map 600 may include icons,animations, or other visual displays indicating network connections ofparticular devices to particular routers or access points (e.g., in ascenario where a user has multiple wireless access points), or to showwired connections between network devices as detected by satellitedevices or through data provided by direct communication with networkrouters.

Exemplary Data Flow Among Components of a Network Analysis System

FIG. 7 depicts an example of data flow 700 among components of a networkanalysis system in accordance with some embodiments of the presentinvention. In particular, the data flow 700 illustrates how a networkdevice 706 may be monitored by one or more satellites 704 to identifynetwork communication events 708 associated with the network device 706.The satellites 704 may generate one or more event messages 710 based onthe network communication events and transmit the event messages to acontroller 702. The controller 702 may analyze the received eventmessages 710 to determine network status information 712. The controller702 may provide the network status information 712 to a managementinterface 714, such as a “dashboard” type interface that displays thestatus of each device connected to the network, troubleshootinginformation for those devices, warranty information for those devices, alocation for each device, and the like. The management interface 714 mayfurther provide controller configuration data 716 to the controller 702to configure the various functionalities of the controller. Suchfunctionality is described further below with respect to FIG. 8.

As noted above, the satellites 704 monitor network traffic in theirvicinity. In some embodiments where the satellites 704 include both awired and wireless interface, the satellites 704 may also monitornetwork traffic occurring on the wired interface. Network trafficdetected by the satellites 704 is monitored and used to generate aseries of event messages describing the traffic. For example, in someembodiments every detected network data packet or network request isused to generate a corresponding event message. This network traffic mayinclude, but is not necessarily limited to, Internet Protocol (IP)messages, Bonjour messages, Server Message Block (SMB) messages, and thelike. It should be appreciated that any type of message protocol thatcould be detected through wired or wireless interfaces of the satellites704 may serve as a basis for generation of an event message.

The event message 710 may include a variety of individual fields. Forexample, the event message 710 may include a signal strength field 718,a MAC address field 720, an event type field 722, a timestamp field 724,and an event payload field 726. The signal strength field 718 mayinclude the measured signal strength of the radio frequency transmissionthat carried the message. By including the signal strength field in theevent message 710, the controller 702 may be able to determine thedistance between the satellite 704 reporting the event message and thenetwork device 706 that originated in the message. In the case of wiredcommunications, the signal strength field 718 may be left blank orotherwise include a token or value (e.g., 0) to indicate that themessage was not received wirelessly.

The MAC address field 720 may include the MAC address of the originatingdevice. By including the MAC address of the originating device, theevent message 710 may indicate the network device that was the source ofthe network communication event to the controller 702.

The event type field 722 may include information describing theparticular protocol or subset of the particular protocol associated withthe network communication event. For example, the event type field 722may indicate that the network communication event is an IP message, or,more specifically, an IP address resolution protocol (ARP) message or aDynamic Host Configuration Protocol (DHCP) message, or the like.

The timestamp field 724 may include a sequence number or other timestampat which time the satellite 704 received the message. The timestampapplied by the satellite 704 may be synchronized with the controllerand/or other satellites to ensure that the internal clocks of eachcomponent device of the network analysis system (i.e., at least thesatellites and controller) are synchronized with one another. In thismanner, the timestamp may be used to identify duplicate messages, and todetermine a detection order among multiple satellites.

The event payload field 726 may include additional data regarding theevent, such as a copy of the data packet associated with the networkcommunication event. In some embodiments, the event payload field 726may not include the entire data packet, but instead just include thepacket header or another reduced subset of all data included in thepacket in order to conserve network bandwidth.

The event message 710 is provided to the controller 702, where thecontroller 702 processes the event message 710 to generate the networkstatus data 712 for output.

Exemplary Data Flow for Event Message Processing

FIG. 8 depicts an example of a data flow for processing event messagesusing an example of a controller 800 to generate network status data inaccordance with embodiments of the present invention. The controller 800may be, or may be configured similarly to, the apparatus 200 describedabove with respect to FIG. 2. The controller 800 includes a messageaggregator component 802, a network analyzer component 804, a messagemetadata storage component 805, a rules engine component 806, a premisesmapper component 808, and a management interface 810.

The message aggregator component 802 includes a service that functionsto receive event messages from one or more satellite devices asdescribed above. The message aggregator component 802 may function as acentralized source for asynchronously receiving event messages,deduplication of received events, summarizing of received eventmessages, and transferring summarized messages to the network analyzercomponent 804 for processing. In support of this functionality, themessage aggregator component 802 includes a high speed processing queueto support message intake and transfer in real-time. The messageaggregator component 802 may also implement a message reception windowfor received event messages to assist with message deduplication, andsynchronization across satellite devices. Examples of processes formanaging such a message reception window are described further belowwith respect to FIGS. 11-12. The message aggregator component 802 mayalso calibrate timing mechanisms across satellite devices with a timeclock maintained by the controller 800 to ensure consistent time stampinformation across all components of the network analysis system.

Once the message aggregator component 802 has received and deduplicatedevent messages, these aggregated event messages may be provided to thenetwork analyzer component 804 for processing. The network analyzercomponent 802 may examine the aggregated event messages to determine theprotocol and any particular message type of the event message. Duringprocessing, the aggregated event messages may be translated from anative protocol into a meta language that generically describes themessage, the purpose of the message (e.g., by mapping the message typeto a known message protocol), the sending device, the signal strength ofthe message, the intended recipient device, any message payload, and thelike. The message as translated into the meta language may be storedwithin the set (e.g., a database or data table) of message metadata 805.The set of message metadata 805 may be used for a variety of networkanalyses and/or metrics. For example, the message metadata 805 may beused as input to the rules engine component 806 to generatenotifications or take other actions based on particular statusinformation about the network as derived from the message metadata 805.

The rules engine component 806 may include a series of processes,threads, applications, or the like that monitor event messages and/or aset of message metadata to determine whether particular rule criteriahave been met by those event messages and/or set of message metadata.When criteria for a rule are met, particular action may be taken. Forexample, rules may generate notifications by email, as a mobile pushnotification, through an audio output device in a home, or by variousother notification techniques when a new, unknown device is detected.For example, when a previously unknown wireless device interrogates anetwork router to identify itself, a satellite device may generate anevent message regarding the network interaction, inform the controller800, and as a result of the message processing a message event may bestored in the set of message metadata 805 indicating the interrogation.The rules engine component 806 may maintain a list of known orpreviously authorized devices, and fire a rule to generate thenotification when a new interrogation occurs from a device that is noton the list of previously authorized devices.

Rules may generally be considered to include a set of criteria and oneor more actions to be taken in response to the criteria being met. Therules engine component 806 may allow for various criteria to be employedboth separately and in conjunction with one another. Examples of rulecriteria include, but are not limited to, detection of a previouslyknown device by a satellite, detection of Internet communications byparticular devices, detection of signal bit rates exceeding or droppingbelow particular thresholds, detection of a known device along with anunknown device, detection of a device at a particular location (e.g., ina particular room), detection of an out of date communication protocolor other indication that a software update is required for a particulardevice, detection that a previously known device has been absent fromthe network for a threshold amount of time, detection of expiration of adevice warranty (e.g., where a device serial number is detected andcross-referenced with an external warranty management system), or thelike.

Example actions that may be taken in response to having rule criteriamet include, but are not limited to, generating a notification tovarious external systems and/or devices (e.g., loudspeaker, television,smartphone, router management interface, etc.), initiating a trafficmonitoring operation between two or more devices, blocking a particulardevice (e.g., by notifying a router to block the device, such as throughan application programming interface), triggering a camera to bedirected to a particular location (e.g., in response to detecting anunknown device near an entry or exit based on location data), triggeringan offer to a user to purchase an obsolete or unused device (e.g., wherea device is previously known but has not been detected for a particularperiod of time), triggering a notification that a certain device isincompatible or sub-optimal based on the current network configuration,or the like. These actions may take the form of notifications generatedby the rules engine component 806 which are transmitted out to variousnetwork devices as described above.

The rules engine component 806 may also include a rule authoringcomponent that allows for specification of particular rule criteria andactions to be taken in response to those rule criteria. These rules maybe defined through the management interface 810.

The premises mapper component 808 is configured to generate avisualization of a local physical area monitored by the controller 800and attendant satellite devices and to illustrate the manner in whichnetwork devices are disposed and interact with that local physical area.The premises mapper component 808 receives a set of premises data which,combined with device location data generated by the network analyzercomponent 804 (e.g., through the use of RSSI readings), to generate thevisualization.

In some embodiments, the premises mapper component 808 may execute apremises mapping operation in conjunction with one or more user devices.For example, the premises mapper may instruct a user to traverse theirhome while executing a mapping application on a smartphone that servesto capture signal strength data for various static devices (e.g.,devices that are unlikely to move, such as routers or network-enabledfixtures) as the user walks through their home. In some embodiments, theuser may provide a floor plan or other physical data to serve as a guidefor the mapping operation. In some embodiments, the premises mappercomponent 808 may recommend particular locations for placement ofsatellite devices based on the results of the mapping operation.

The premises mapper component 808 may include an interface to allow auser to lay out a physical area (e.g., a perimeter and interior walls).The interface may also allow a user to select their location within thatphysical area and take a signal strength measurement to one or moreaccess points (e.g., routers, network range extenders, or the like) orsatellite devices. In some embodiments, if a signal strength receivedfrom one or more satellites fails to exceed a minimum threshold, then anotification of a recommendation to place a satellite device at theposition with the low signal strength may be provided via the interface.In some embodiments, the interface may recommend placement of satellitedevices at particular intervals (e.g., every 10 feet, 25 feet, or 50feet).

In some embodiments, a list of discovered devices may be provided asderived by the network analyzer component 804 for placement by a userwithin an interface. The placement may be designed to correspond to thephysical location of each detected device, which may be used within thevisualization to illustrate the known positions of devices and tocalibrate signal strength readings. In some embodiments, during amapping operation, a signal may be sent to satellite devices and/orother components of a network analysis system to cause those devices tobroadcast a particular signal (e.g., a “homing” signal).

By detecting signal strengths at various locations and providing thedetected signals to the premises mapping component 808, a set ofreference ranges may be detected for use in future RSSI device locationoperations.

Once the mapping operation is complete, the visualization may also beupdated to indicate the presence of “weak” signal coverage zones. Thisinformation may also be utilized in subsequent troubleshootingoperations to troubleshoot device performance by the network analysiscomponent.

The management interface 810 may provide an interface, such as aGraphical User Interface (GUI), that allows a user to view the status ofthe network as derived by the network analyzer component 804, a premisesmap as derived by the premises mapper component 808, and notificationsgenerated by the rules engine component 806. As noted above, themanagement interface 810 may also provide configuration data forcontrolling the operation of the controller 800, including but notlimited to rule definitions, identification of network devices, and thelike. The management interface 810 may, for example, provide an“information center” that shows the rate at which each device of thenetwork is communicating on the network, which devices are communicatingwith particular cloud services, which devices are communicating withother external computing nodes, and the like. In conjunction with therules engine, this network analysis data may be used to, for example,identify that a particular device is consuming large amounts ofbandwidth in the middle of the night (e.g., a child using a streamingvideo service on their smartphone after bedtime) or other unauthorizedor unexpected uses as defined within an established set of rulescriteria.

Embodiments may also be employed to implement geofencing systems, suchas to detect and log when particular devices (e.g., a child'ssmartphone) enter and exit detection range of the satellites.

Example of an Network Analysis Dashboard Interface

FIG. 9 depicts an illustration of an example of a dashboard interface900 for displaying network analysis data and other output generated by acontroller in accordance with embodiments of the present invention. Theinterface 900 includes icon representations for various devices detectedon a home network. Selection of particular devices (e.g., throughtouching or clicking on an icon) may display network metrics andstatistics associated with that device. The interface 900 may alsoinclude a series of interface controls to facilitate device discovery,editing of device data (e.g., to provide names or types for eachdetected device), and to access a user account. In some embodiments, auser account may include local credentials for accessing the controller,while in other embodiments the user account may provide a user withaccess to a remote server that receives data from the controller. Thisremote server may also provide an interface to access various other dataassociated with devices, such as by interfacing with manufacturersystems to manage device warranties (e.g., by identifying a warrantylength), by offering the user the ability to purchase accessories,products, service plans, or the like for identified devices throughthird party services, for offering troubleshooting services, or thelike.

The interface 900 may be displayed, for example, on an “app” executingon a user device such as a smartphone or tablet, through a serverapplication executing on the controller, or through a web interfacehosted on a remote server external to the user's network. In some cases,accessing the interface 900 may require accessing the user's networkdirectly (e.g., as an attached device), while in other cases theinterface 900 may be provided by an Internet routable system (e.g.,through a web server executing on the controller or through anexternally hosted site offered by a manufacturer of the controller).

Examples of Processes for Implementing a Network Analysis System

FIGS. 10-17 illustrate exemplary processes that may be employed by acontroller device and/or satellite device to implement functionality ofa network analysis system in accordance with embodiments of the presentinvention. These processes, and others, may be performed by, forexample, the apparatus 200 described above with respect to FIG. 2 and/orthe apparatus 300 described above with respect to FIG. 3, and inconjunction with the data flows and device interactions illustrated inFIGS. 4-8.

FIG. 10 illustrates a flow diagram depicting an example of a process1000 for detecting a network communication event and transmitting anevent message to a controller in accordance with embodiments of thepresent invention. The process 1000 serves as an example of a techniquefor detecting an event using a satellite device and causing transmissionof that event to a controller for use in a network analysis operation inaccordance with embodiments of the present invention.

At action 1002, one or more frequency bands are monitored for networktraffic. Although the instant example is given with respect tomonitoring of a wireless frequency band, it should be appreciated thatembodiments may also include monitoring wired connections. At action1004, a network communication event is detected on the monitoredfrequency band. As described above, the network communication event maybe any network communication that occurs in a manner that is detectableby a satellite device. In some embodiments, different satellite deviceshave different monitoring capabilities. For example, a given satellitedevice may be configured with radios to detect one or more of Bluetooth,ZigBee, 802.11 a/b/g/n/ac, or the like, while another satellite devicemay lack one or more of those capabilities. In this manner, a user mayselect which satellite devices are most appropriate for their own homenetwork configuration, especially in scenarios where unnecessary extrafunctionality results in more expensive hardware.

At action 1006, an event sequence number for the detected event isgenerated. The event sequence number may be generated as a result of orin conjunction with a timestamp value for the event. As described above,embodiments may synchronize clocks across the controller and satellitedevices, such that each device clock is expected to be within aparticular threshold time (e.g., <1 ms) of one another. The sequencenumber may thus be the timestamp of the message, or some combination ofa characteristic of the message (e.g., a message type, message payload,or the like) combined with the timestamp.

At action 1008, an event message is generated for the received networkcommunication event. As described above with respect to FIG. 7, theevent message may include various characteristics of the message alongwith the sequence number. At action 1010, the generated event message istransmitted to a controller device for further processing.

FIG. 11 illustrates a flow diagram depicting an example of a process1100 for initializing satellite devices using a controller device toenable the satellite devices and controller device to perform networkanalysis operations in accordance with embodiments of the presentinvention. The process 1100 may be performed, for example, when firstinitializing a controller and satellite devices together to establish apairing between each satellite and the controller. Alternatively, theprocess 1100 may also be performed when adding a new satellite to apreviously configured system. Initiating the process may include, forexample, pressing a physical button on each device to initiate a pairingoperation, so as to ensure that only devices belonging to the particularuser are paired to the controller to preserve user privacy. The process1100 may therefore be performed by the controller to establish an eventwindow to take into account signal attenuation, reflecting, andpropagation delay across different satellite devices when performingmessage deduplication for messages received from multiple satellitedevices and to account for slight differences in internal clocks of eachdevice. In some embodiments, the process 1100 may be performed atparticular intervals to ensure that synchronization is maintained acrossthe controller and satellite devices.

At action 1102, one or more local satellite devices are determined. Asmentioned above, local satellites may be determined by physicallypressing a button, flipping a switch, or otherwise interacting with asatellite to place it in pairing of initialization mode. Alternatively,a satellite device may automatically begin searching for a controllerwhen first powered on, or the satellite device may enter a pairing modebased on a programmatic instruction transmitted wirelessly to the deviceor through a direct wire connection.

At action 1104, the clocks between the detected satellites aresynchronized with one another and/or the controller. Synchronization maybe performed according to various time synchronization protocols,including but not limited to Network Time Protocol, Precision TimeProtocol, Clock Sampling Mutual Network Synchronization, or any otherprotocol sufficient for synchronizing clocks across multiple devices.

At action 1106, a satellite calibration operation is initiated. Thesatellite calibration operation may cause the satellite devices totransmit calibration signals comprising event messages to the controllerat known, expected intervals. For example, after synchronizing theclocks, the controller may notify the satellites to each begintransmitting event messages at a particular start time and subsequentlyat a particular interval.

At action 1108, the calibration signals are received by the controller,and the times at which the calibration signals are received are stored.At action 1110, the different in time between the expected arrival ofthe calibration signals and the actual time of arrival of thecalibration signals are used to determine an expected latency of messagetransmission time from the satellite devices to the controller. Thislatency may be utilized to calculate an event window time based on thesatellite device with the greatest latency. For example, if a latency of5 ms was measured for 3 satellite devices, and a latency of 10 ms for afourth device (likely due to the fourth device being further away fromthe controller), then the event window for a given message sequencenumber would be set at 10 ms to allow adequate time for an event messagemeasured by the fourth device to be sent back to the controller. Someembodiments may use alternative techniques or estimates to calculate alatency, such as doubling the latency to account for an instruction totransmit the calibration signal to be sent to the satellite prior toreceiving the response to the calibration signal.

FIG. 12 illustrates a flow chart depicting an example of a process 1200for using an event window to process event messages received fromsatellite devices in accordance with embodiments of the presentinvention. The process 1200 illustrates a technique employed by amessage aggregator component, such as the message aggregator component802 described above with respect to FIG. 8, to receive and aggregatemessages prior to forwarding those messages to a network analyzercomponent for further processing.

At action 1202, a first event message is received. In response toreceiving the first event message, a determination is made as to whetherthe event message is “new”, such as whether the event message has a newsequence number. If the event message is new, an event window is openedat action 1204. As described above with respect to FIG. 11, the lengthof the event window may be determined based on the signal propagationdelay from the highest latency satellite device employed within thenetwork analysis system.

At action 1206, subsequent event messages with the same content (e.g.,the same sequence number), and at action 1208 the event window is closedafter the allotted time has elapsed. In cases where multiple eventmessages are received, it may be possible to determine a signal strengthrelate to each satellite device that detected the message. In suchcases, RSSI location identification techniques may be employed todetermine an approximate location for the device that initiated themessage.

At action 1210, the event messages with the same content are summarizedinto a single event message with a single set of common data (e.g., themessage type and other data common across all instances of the message),and unique sets of content that is unique per satellite device, such asa signal strength measured by each satellite device. At action 1212, thesummarized event messages are provided as a single event for processing,such as by a network analyzer component 804 as described above withrespect to FIG. 8.

At action 1214, an additional event message with the same event content(e.g., the same sequence number) is received. However, since the eventwindow has closed, the additional event message is discarded at action1216, since the event message with that sequence number has already beenforwarded for processing. In this manner, embodiments avoid duplicateprocessing of the same event message, while still allowing multiplesatellite devices to report the same event message. In some embodiments,repeated reception of event messages after the event window has closedmay trigger a recalculation of the event window to decrease thelikelihood of event messages coming in after the window has closed,while in other cases if messages are only received near the end of theevent window very infrequently, then the event window may be shortenedto increase the speed with which messages are summarized and providedfor further processing.

FIG. 13 illustrates a flow diagram depicting a process 1300 forgenerating a visualization of a set of network devices in accordancewith some embodiments. The process 1300 provides for generation of avisualization of a plurality of devices on an interface corresponding toa physical layout of a home or other building. The location of deviceswithin the building may be determined based on measured signal strengthsin relation to satellite devices, based on a network topology determinedthrough communication with one or more networked devices, or throughvarious other techniques for network analysis in accordance withembodiments as described herein.

At action 1302, premises data is received. As described above withrespect to FIG. 6, the premises data may include a floor plan of abuilding, a drawing made on an interface provided for that purpose, orany other data that lays out the physical area corresponding to one ormore network devices and/or satellite devices and a controller. Ataction 1304, locations for one or more devices are determined based atleast in part on event messages received by satellite devices. Forexample, event messages may indicate the relative signal strengthmeasured by each satellite device, and it may be possible to triangulatea location for the sending mobile device based on those measuredsignals. At action 1306, a premises map is generated using the devicelocations and the premises data. At action 1308, the premises map isprovided through a management interface, such as via a user'ssmartphone, on a computer display, or the like.

FIG. 14 illustrates a flow diagram depicting an example of a process1400 for processing event messages received from a message aggregatorcomponent in accordance with some embodiments of the present invention.As noted above, a message aggregator component may function to receiveevent messages from satellite devices and combine duplicate eventmessages for further processing. However, in order to ensure fastperformance of the queue of event messages monitored by the messageaggregator component, the message aggregator component may offloadprocessing of those aggregated messages to a network analysis componentof a controller. The process 1400 illustrates one example of a methodfor performing that processing by the network analysis component.

At action 1402, an aggregated event message is received. It should beappreciated that the term “aggregated” in this context merely refers toan event message that was processed by a message aggregator component,and that the aggregated event message may include only a single eventmessage. At action 1404, the event protocol of the aggregated eventmessage is determined. At action 1406, the aggregated event message isprocessed in accordance with the event protocol. For example, processingof the aggregated event message may include determining the context andpurpose of the message based on the message type and the attendantprotocol (e.g., whether the message is part of joining a network,transmitting data on the network, receiving data on the network, or thelike). Processing of the message may include transforming the messageinto a meta language that is protocol agnostic. The meta languagerepresentation of the message may be stored in a set of message metadataat action 1408, for use in generating network status data, determiningwhether rule criteria are satisfied, and in support of various otherfunctions of the network analysis system.

FIG. 15. Illustrates a flow diagram depicting an example of a process1500 for implementing a rules engine component in accordance with someembodiments of the present invention. As described above with respect toFIG. 8, a rules engine may be employed to determine whether particularrule criteria are satisfied by network status data and/or messagemetadata generated by a network analyzer component. In the event thecriteria for a rule are satisfied, the rules engine may take certainactions corresponding to the rule for which the criteria are satisfied.

At action 1502, rule configuration data is received. The ruleconfiguration data may include a set of rule criteria and a set ofactions to be performed in response to the rule criteria beingsatisfied. Some embodiments may include authoring tools and an authoringlanguage for specifying the rule criteria and appropriate actions, whileother embodiments may provide a list of eligible rules that a user mayselect from.

At action 1504, a set of message metadata is received, such as from anetwork analyzer component as described above. The message metadata mayinclude processed event messages that indicate when devices have joineda network, left a network, come into proximity with one or moresatellite devices, transmitted data to another device on the network,and/or the like.

At action 1506, the rule status criteria are determined based on themessage metadata to determine if the criteria are satisfied. If thecriteria are satisfied, the action associated with the rule isinitiated. For example, many rules may include generation of anotification to a management interface, user device, audio outputdevice, video output device, or the like. At action 1508, thenotification is generated, and at action 1510, the notification istransmitted to the device that is the target of the notification.

FIG. 16 illustrates a flow diagram depicting a process 1600 forperforming power management of a satellite device in a manner thatpreserves network security in accordance with embodiments of the presentinvention. As described above, the network analysis system enabled by acontroller and satellite devices provides many novel applications, manyof which relate to detection of security breaches and unauthorizeddevices. Accordingly, it is conceivable that some malicious users mightdesire to disable one or more components of the network analysis systemto subvert these security applications. One way that a malicious userwith physical access to a satellite device might attempt to do so wouldbe to simply unplug the satellite device from its AC power source.However, the process 1600 illustrates a mechanism for preserving homesecurity that may serve to thwart such a malicious user.

At action 1602, the process 1600 detects a loss of the primary powersupply of the satellite device. In response, at action 1604, thesatellite device switches over to battery backup power. However, sinceit is possible that the device was intentionally powered down to allow amalicious user to add an unauthorized device to the network, the switchto battery power at action 1604 may be accompanied by disabling anexternal indicator of power at action 1606. For example, if thesatellite device includes an LED indicator to indicate it is powered on,the LED indicator may be disabled in response to switching to batterypower. At action 1608, a notification may be transmitted to thecontroller for forwarding to a management interface to notify a user orother administrator of the loss of device power. In this manner, thesatellite device may continue to provide network security operationswhile letting a potential malicious user believe that they havesubverted the network security, increasing the likelihood the intrusionwill be noticed.

FIG. 17 illustrates a flow diagram depicting an example of a process1700 for utilizing a rules engine to provided improved home security inaccordance with some embodiments of the present invention. The process1700 illustrates how a location data derived from signal strengthreadings performed by satellite devices can generate a notification thatconfigures a camera to view a location corresponding to an unknowndevice.

At action 1702, the process 1700 detects an unknown device based on anevent message received from a satellite device. At action 1704, thelocation of the unknown device is determined, such as based on RSSIlocation determination techniques as described above. In response todetermining the location of the unknown device, at action 1706 anotification may be generated to a pan-tilt-zoom camera to direct thecamera to the identified location. In this manner, the camera system maybe automatically programmed to be directed to an unknown entity, thusimproving the user's home security system. For example, such a systemcould be used to identify a person with an unknown device approachingthe user's home from an odd direction (e.g., not the front door), or tofocus a camera on a visitor at the front door without having to manuallyopen the door.

Embodiments of the present invention have been described above withreference to block diagrams and flowchart illustrations of methods,apparatuses, systems and computer program products. It will beunderstood that each block of the circuit diagrams and processflowcharts, and combinations of blocks in the circuit diagrams andprocess flowcharts, respectively, can be implemented by various meansincluding computer program instructions. These computer programinstructions may be loaded onto a general purpose computer, specialpurpose computer, or other programmable data processing apparatus toproduce a machine, such that the computer program product includes theinstructions which execute on the computer or other programmable dataprocessing apparatus create a means for implementing the functionsspecified in the flowchart block or blocks.

These computer program instructions may also be stored in acomputer-readable storage device that can direct a computer or otherprogrammable data processing apparatus to function in a particularmanner, such that the instructions stored in the computer-readablestorage device produce an article of manufacture includingcomputer-readable instructions for implementing the function discussedherein. The computer program instructions may also be loaded onto acomputer or other programmable data processing apparatus to cause aseries of operational steps to be performed on the computer or otherprogrammable apparatus, thereby producing a computer-implemented processsuch that the instructions executed on the computer or otherprogrammable apparatus cause performance of the steps and therebyimplement the functions discussed herein.

Accordingly, blocks of the block diagrams support combinations of meansfor performing the specified functions, combinations of steps forperforming the specified functions and program instruction means forperforming the specified functions. It will also be understood that eachblock of the circuit diagrams and process flowcharts, and combinationsof blocks in the circuit diagrams and process flowcharts, can beimplemented by special purpose hardware-based computer systems thatperform the specified functions or steps, or combinations of specialpurpose hardware and computer instructions.

Some additional embodiments may allow consumers to manage their devicesand networks through an app or Web portal. Embodiments may also includea call center component, providing CSRs valuable insight to help targethelp and advice for troubleshooting, diagnosing, and recommending.Embodiments may help manage multiple devices, agnostic to manufacturer,type of device, operating system and network. Embodiments may enabletroubleshooting through easy on device guides and a dashboard thatillustrates where network connections and devices are failing. Wherepersonal help is needed, 24/7 Live Support may be just a call, text,chat or email away.

Embodiments may also Block intruders who hitchhike on network andmonitor the network for malware. Further embodiments may registers andkeep track of warranties, extended service contracts, credit card doublemanufacturer warranties, and retail offerings. Embodiments may alsoprovide reminders for services due (such as complimentary cleanings),notifications for software upgrades, relevant new peripherals, andproduct recalls. Some embodiments may alert users to expiringentitlements and product recalls. Embodiments may also provide easyaccess to user manuals.

Some embodiments may provide protection across devices for accidentaland mechanical breakdowns, loss and theft, damage for power shortages,etc. and ID theft protection and assist with filing of claims. Someembodiments provide repair and loaners services and help put the user intouch with an appropriate repair facility and/or handle the repair onthe consumer's behalf.

Some embodiments may provide personal advice for purchases related toyour network devices, networks, and routers to help insureinteroperability and compatibility based on actual usage needs andhistory for the individual. Embodiments may provide relevant contextualhelp and solutions. Some embodiments may provide an easy way to migrateaway from old devices and upgrade to new devices and networks throughproviding trade in value, determining a venue for selling devices,personalized recommendations for new devices and network, and the like.Some embodiments may also include a loyalty component, with additionalor added benefits based on length of subscription, number of devicesattached to the network, or the like.

Embodiments may provide relevant functionality through a variety of userinterfaces. For example, embodiments may provide dashboards to provide ahigh level overview into the health, connections and performance ofdevices individually and as a connected network. A “Getting Started”interface may assist users with registration and set up the devices tobe monitored and proper network configurations.

During device registration, embodiments may collect key information inorder to complete OEM registration and begin tracking of entitlements(e.g., warranties or replacement plans). Such entitlements may includeretailer offers provided at POS (e.g., annual cleanings), OEM offers andupgrades, home owners insurance riders/core coverage, or credit cardbenefits (e.g., double manufacturer warranties, 90 day protection, andother features). Embodiments may also populate a section with usermanuals or links to user manuals for registered devices.

Some embodiments may provide step by step set up instructions, identifycompatibility issues, and provide tips and tricks for setting updevices. Such tips and tricks may include personalized, timely,appropriate recommendations for additional products and services tosupport devices and networks.

Embodiments may also provide regular maintenance services such asassisting with helping diagnose small problems before they become bigones, assisting users with troubleshooting problems through on device,crowd-sourced and live tech support, helping predict future issues suchas storage limitations, battery, connectivity issues, monitoring thesecurity of the network, preventing malware and hitchhikers, andproviding protection for and one click claims service. Such claims mayinclude claims for services covering loss, accidental damage, mechanicalbreakdown, theft/burglary, malware, identity theft, or the like. Someembodiments may provide information personalized to the user, devices,and/or networks.

Some embodiments may provide alerts and/or notifications related toentitlements (e.g., expiring, new offers, reminders), device andnetwork(s) issues, device and network specific notices (e.g., upgrades,new solutions to solve common dilemmas), safety/security concerns (e.g.,malware detected; hitchhikers detected), and/or relevant help related to“devices” connected (e.g. car alerts you that the brake pads are runningthin, sends alert and helps solve the problem with a close by and goodprice repair solution).

Embodiments may also assist with making changes to the network anddevices/migration (e.g., adding to and retiring devices and/ornetwork(s)). Embodiments may assist with adding new devices, newnetworks and migrating away from old devices, old networks, and oldperipherals.

Some embodiments may provide advice based on users habits as monitoredby the digital concierge, the user's particular needs, and knowledge ofthe user's existing network and compatibility/interoperabilityconsiderations to provide counsel and guidance on new purchases.

Some embodiments may provide an independent estimate for the value of adevice for a trade in based upon the condition of the device, includinga certification of the device's status based on the results of a devicediagnostic.

Some embodiments may assist with the purchase of new devices. Suchembodiments may provide venues and price guarantees for new productpurchases and access to used/rebuilt/customized (with all settings andfeatures)/certified devices.

Some embodiments may provide the ability to cover device by extendingexisting protection coverage where coverage already exists for device(s)and/or network(s) or to begin coverage process with new purchases. Someembodiments may assist with data back up and data transfer operations tofacilitate migration to new devices. Such migration may includeproviding back up and transfer of data. Embodiments may perform suchmigration by restoring settings, even across platforms or operatingsystems.

Embodiments may also provide a customer service dashboard and tools. Forexample, a dashboard may provide insights into the customer's devicesand connections, apps and behavior of the consumer with the device.Embodiments may also include a recommendation tool to assist a customerservice representative with obtaining information on devices andnetworks and peripherals to best solve the customer's problems.

Embodiments may also include tracking historical information to assistcustomer service representatives with predicting problems. Someembodiments provide a complete view of the consumer's prior activity,including previous tickets, all devices, all connections, and/or allnetworks. Embodiments may possess the ability to handle cross sells of,for example, insurance products.

Some embodiments may leverage the use of aggregated data to providedevice diagnostic, detection, and management functions. For example,devices may measure device and network performance over time and basedon the manner in which the device is used by the user. Embodiments maydetermine how other devices and networks perform in comparison. Someembodiments may identify a trade in condition of one or more devices,and determine how the device rates/ranks for its age and type and truefair market value based on actual condition of the device.

Embodiments may provide personalized offers based on the device types ofconnected devices, the user's network, and the user's behaviors withtheir devices and networks. Embodiments may also monitor and facilitatedevice migration behavior. For example, embodiments may track andfacilitate switching behavior, including tracking the makes and modelsof devices and networks; track a number of months to upgrade; and/ortrack the effect of protection on switching behavior, upgrades, andtrade-ins. Embodiments may also provide recommendations based on userbehavior, devices, networks, and/or a determined level of “techsavvyness” assigned to the user. Some embodiments may also how tips andtricks are provided to the user, such as based on contextual need, atech savvyness score, the presence of a particular device, or theoverall status of the network. Some embodiments may include predictivealerts to anticipated device problems based on known device issues,model, age of device, or device behavior pre event. Embodiments may alsomeasure performance to identify what devices and networks perform bestfor whom and under what circumstances.

Many modifications and other embodiments of the inventions set forthherein will come to mind to one skilled in the art to which theseembodiments of the invention pertain having the benefit of the teachingspresented in the foregoing descriptions and the associated drawings.Therefore, it is to be understood that the embodiments of the inventionare not to be limited to the specific embodiments disclosed and thatmodifications and other embodiments are intended to be included withinthe scope of the appended claims. Although specific terms are employedherein, they are used in a generic and descriptive sense only and notfor purposes of limitation.

What is claimed is:
 1. A system for providing computer network analysiscomprising: at least one satellite device configured to: monitorwireless traffic within a network to determine at least one networkcommunication event between a first network device and a second networkdevice the first network device and the second network device both beingdifferent devices from the satellite device; generate an event messagebased on the at least one network communication event; and transmit theevent message; and a controller device configured to: receive the eventmessage; determine an identity of at least one device communicatingduring the network communication event; determine a network status basedat least in part on the identity of the at least one device; perform acomparison of the network status to a predetermined rule set; initiate aresponsive action based at least in part on the comparison to thepredetermined rule set, wherein the responsive action comprisesautomatically altering a configuration of the first network device orthe second network device and automatically altering a topologicalfeature of the network; and provide the network status and an indicationof the responsive action via a management interface.
 2. The system ofclaim 1, wherein the event message comprises a signal strength of thenetwork communication event and wherein the controller device is furtherconfigured to determine a location of the at least one device based atleast in part on the signal strength.
 3. The system of claim 1, whereinthe event message comprises a protocol identifier.
 4. The system ofclaim 1, wherein the controller device is further configured to identifya device type for the at least one device based at least in part on theevent message.
 5. The system of claim 1, wherein the at least onesatellite device is further configured to monitor the wireless networktraffic by detecting network transmissions between the first networkdevice and the second network device, the first network device and thesecond network device both being different devices from the controllerdevice.
 6. The system of claim 1, wherein the event message comprises apacket header of the network communication event.
 7. The system of claim1, wherein a clock of the at least one satellite device and a clock ofthe controller device are synchronized with one another.
 8. The systemof claim 7, wherein the event message comprises a timestamp derivedbased on a reading from the clock of the at least one satellite device.9. The system of claim 1, wherein the network communication event is anetwork message transmitted according to an 802.11 protocol, a ZigBeeprotocol, or a Bluetooth protocol.
 10. A method for providing a networkanalysis system, the method comprising: receiving, at a controllerdevice, a first event message from a first satellite device, the firstevent message comprising content based on a first network communicationevent between a first network device and a second network device withina network, the first network device and the second network device bothbeing different devices from the first satellite device; receiving, atthe controller device, a second event message from a second satellitedevice, the second event message comprising content based on a secondnetwork communication event between a third network device and a fourthnetwork device; processing, by the controller device, the first eventmessage and the second event message to determine a network status,wherein the network status comprises an indicator of the presence ofeach of the first, second, third, and fourth network devices; performinga comparison of the network status to a predetermined rule set; andinitiating a responsive action based at least in part on the comparisonto the predetermined rule set, wherein the responsive action comprisesautomatically altering a configuration of the first network device orthe second network device and automatically altering a topologicalfeature of the network.
 11. The method of claim 10, wherein the firstevent message comprises a signal strength of the first networkcommunication event and wherein the controller device is furtherconfigured to determine a location of the first network device based atleast in part on the signal strength.
 12. The method of claim 10,wherein the first event message comprises a protocol identifier.
 13. Themethod of claim 10, wherein the controller device is further configuredto identify a device type for each of the first network device and thesecond network device based at least in part on the first event message.14. The method of claim 10, wherein the at least one satellite device isfurther configured to monitor the wireless network traffic by detectingnetwork transmissions between a first network device and a secondnetwork device, the first network device and the second network deviceboth being different devices from the controller device.
 15. The methodof claim 10, wherein the event message comprises a packet header of thenetwork communication event.
 16. The method of claim 10, furthercomprising synchronizing a clock of at least the first satellite deviceand a clock of the controller device.
 17. The method of claim 16,wherein the event message comprises a timestamp derived based on areading from the clock of the at least one satellite device.
 18. Anapparatus for providing computer network analysis comprising a processorcoupled to a memory, the apparatus configured to: receive an eventmessage, the event message based on at least one network communicationevent monitored by a satellite device within a network; determine anidentity of at least one device communicating during the networkcommunication event; determine a network status based at least in parton the identity of the at least one device; perform a comparison of thenetwork status to a predetermined rule set; initiate a responsive actionbased at least in part on the comparison to the predetermined rule set,wherein the responsive action comprises automatically altering aconfiguration of the at least one device and automatically altering atopological feature of the network; and provide the network status andan indication of the responsive action via a management interface. 19.The apparatus of claim 18, wherein the event message comprises a signalstrength of the network communication event and wherein the apparatus isfurther configured to determine a location of the at least one devicebased at least in part on the signal strength.
 20. The apparatus ofclaim 17 further configured to identify a device type for the at leastone device based at least in part on the event message.
 21. The methodof claim 1, wherein the responsive action further comprises activating asecurity system.
 22. The method of claim 1, wherein the responsiveaction further comprises blocking a communications device.
 23. Themethod of claim 1, wherein the responsive action further comprisescausing a camera to be directed to a particular location.
 24. The methodof claim 1, wherein the responsive action further comprises initiating atraffic monitoring operation between at least two communicationsdevices.
 25. The method of claim 1, wherein the responsive actionfurther comprises generating a notification to an external system,wherein the external system comprises a loudspeaker.